03-20-2018 07:57 AM
We see similar issue and get below error when accessing the load balanced Oozie UI:
HTTP Status 403 - GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
Error goes away if we individually load the underlying Oozie instance UI's and then hit the load balanced Oozie UI.
We were told that our load balancer is not passing the SPNEGO authentication properly.
Any one else have this issue?
03-20-2018 08:59 AM
The issue you describe may be different and the original thread was quite large, so I created a new thread for you.
Since you are able to connect to the Oozie UIs directly, that indicates they are set up for Kerberos properly and that your client can get Service Tickets for those servers.
The "Failed to find any Kerberos credentails" error, though, indicates that perhaps your client cannot get a Service Ticket for your Load Balancer.
The reason you are able to connect via the load balancer after you have already connected to the Oozie UIs directly is that you have already gotten a token set in your cookies that is used for authentication. If you restart the browser, you will need to authenticate again.
As for the problem itself, the process is like this:
-- browser connects to the host you specify in the url
-- LB refers to one of the Oozie server
-- Oozie server replies with 401 (auth required)
-- Browser obtains Service Ticket for host specified in the url
-- Browser passes AS_REQ to LB to Oozie server
Finding out where the issue is occurring in this system is important. The first thing I would suggest is verifying that on your browser host, the browser is able to get a Service Ticket for the host specified in the browser URL.
What OS are you using for your browser?
03-20-2018 09:22 AM
Thanks for your response!
Browser is running Windows 10. We can sometimes reproduce this issue using "curl" from a Redhat 7 host
Regarding "Browser obtains Service Ticket for host specified in the url" - How can we check this on either Windows or Redhat host? Sorry, I am not familiar with the terminology